Dex service account destroyed by operator about gitops-operator HOT 22 CLOSED

Hi @iam-veeramalla, I confirm it works.

On my side, the SSO is working correctly on a OKD 4.7.

As @davidkarlsen said, there is no way to access the doc describing the procedure.

Thanks,

Yes, This doc is not available public-ally, My bad for sharing this. Sharing the steps below that are mentioned in the docs.

Set DISABLE_DEX env variable to false. Example shown below.

spec:
  config:
    env:
    - name: DISABLE_DEX
      Value: "false"

You can enable RBAC on argo-cd by following the instructions provided in the argo-cd RBAC Configuration. Example RBAC configuration looks like this.

spec:
  dex:
    openShiftOAuth: true
  rbac:
    defaultPolicy: 'role:readonly'
    policy: |
      g, system:cluster-admins, role:admin
    scopes: '[groups]'

from gitops-operator.

This works for me on a OSD 4.7 cluster, enables both real TLS (using the cluster route's default wildcard cert) and SSO to openshift

$ oc patch subscription openshift-gitops-operator -n openshift-operators --type=merge -p='{"spec":{"config":{"env":[{"name":"DISABLE_DEX","Value":"false"}]}}}'

$ oc patch argocd openshift-gitops -n openshift-gitops --type=merge -p='{"spec":{"dex":{"openShiftOAuth":true},"rbac":{"defaultPolicy":"role:readonly","policy":"g, system:cluster-admins, role:admin","scopes":"[groups]"}}}'

$ oc patch argocd openshift-gitops -n openshift-gitops --type=merge -p='{"spec":{"server":{"insecure":true,"route":{"enabled":true,"tls":{"insecureEdgeTerminationPolicy":"Redirect","termination":"edge"}}}}}'

from gitops-operator.

Hi @pbriet ,

Dex is currently disabled by default in gitops-operator. To enable Dex, Please set the below env variable in subscription resource as mentioned below.

spec:
  config:
    env:
    - name: DISABLE_DEX
      Value: "false"

A complete guide to setup dex for gitops_operator is available here.
https://docs.google.com/document/d/1147S5yOdj5Golj3IrTBeeci2E1CjAkieGCcl0w90BS8/edit?ts=602bd66f#heading=h.aaosp4vcdtza

from gitops-operator.

The DISABLE_DEX env variable, is that in the argoCD-resource?

No, it's for the operator deployment.

so in the kind: CatalogSource?

@fredcb its is in the subscription resource

openshift-operators -> subscriptions -> openshift-gitops-operator "edit subscription"

spec:
...
  config:
    env:
      - name: DISABLE_DEX
        value: 'false'
....

from gitops-operator.

^ I feel like these should be defaults, otherwise the first time user experience isn't great. Until then we should update the docs to clarify that they need to accept a self-signed cert in their browser so they know its to be expected.

from gitops-operator.

As far as I have learned from Redhat the dex server and integration with OpenShift oauth is no longer supported. They suggest using Keycloak instead. So far a lot less user friendly experience
…
On Mon, 19 Jul 2021 at 14:12, Elytscha @.***> wrote: ^ I feel like these should be defaults, otherwise the first time user experience isn't great. Until then we should update the docs to clarify that they need to accept a self-signed cert in their browser so they know its to be expected. indeed, with those 3 patch commands the first time user experience is a lot better! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#76 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AE5T64W62JSDJEF647ME4FTTYQJC5ANCNFSM4ZAS4CJQ .

i know, but sounds to complicated to run a tool (keycloak or redhat sso) which no one at the company knows.
'ain't nobody got time for that'

it sounds not so complicated to use the already existent openshift oauth

from gitops-operator.

Hi @pbriet ,

Dex is currently disabled by default in gitops-operator. To enable Dex, Please set the below env variable in subscription resource as mentioned below.

spec:
  config:
    env:
    - name: DISABLE_DEX
      Value: "false"

A complete guide to setup dex for gitops_operator is available here.
https://docs.google.com/document/d/1147S5yOdj5Golj3IrTBeeci2E1CjAkieGCcl0w90BS8/edit?ts=602bd66f#heading=h.aaosp4vcdtza

That document is not available publicly. I requested access.

from gitops-operator.

Hi @pbriet ,

Dex is currently disabled by default in gitops-operator. To enable Dex, Please set the below env variable in subscription resource as mentioned below.

spec:
  config:
    env:
    - name: DISABLE_DEX
      Value: "false"

A complete guide to setup dex for gitops_operator is available here.
https://docs.google.com/document/d/1147S5yOdj5Golj3IrTBeeci2E1CjAkieGCcl0w90BS8/edit?ts=602bd66f#heading=h.aaosp4vcdtza

@pbriet did this work for you ?

from gitops-operator.

It works (i.e. dex will be deployed) when enabling that flag on the operator. However SSO with the built-in OCP oauth fails after a timeout. And also dex is affected by #92

from gitops-operator.

The docs you refer to are still closed, so they are useless.

from gitops-operator.

Hi @iam-veeramalla, I confirm it works.

On my side, the SSO is working correctly on a OKD 4.7.

As @davidkarlsen said, there is no way to access the doc describing the procedure.

Thanks,

from gitops-operator.

The DISABLE_DEX env variable, is that in the argoCD-resource?

from gitops-operator.

The DISABLE_DEX env variable, is that in the argoCD-resource?

No, it's for the operator deployment.

from gitops-operator.

The DISABLE_DEX env variable, is that in the argoCD-resource?

No, it's for the operator deployment.

so in the kind: CatalogSource?

from gitops-operator.

The DISABLE_DEX env variable, is that in the argoCD-resource?

No, it's for the operator deployment.

so in the kind: CatalogSource?

@fredcb its is in the subscription resource

from gitops-operator.

@davidkarlsen Thanks for the very clear answer :-). I been working only with argocd's operator so far, so I wasn't aware you had another resource type in this one.

from gitops-operator.

Can we add toggles to the argocd CR to allow the users to do the following:

1. enable dex
2. sub-option is to enable SSO with openshift

from gitops-operator.

It would be great,if the configuration of the subscription would be documented anywhere. I'm a cluster-admin and was wondering why my Argo CD deployed with the GitOps Operator doesn't work. Perhaps there are other config issues, that will appear, when I try to configure other things in Argo CD??? I'm coming from the Argo CD community operator and woud like to take my configurations to the GitOps Operator....

from gitops-operator.

^ I feel like these should be defaults, otherwise the first time user experience isn't great. Until then we should update the docs to clarify that they need to accept a self-signed cert in their browser so they know its to be expected.

indeed, with those 3 patch commands the first time user experience is a lot better!

from gitops-operator.

from gitops-operator.

for info, redhat "solution"
https://access.redhat.com/solutions/6131481
is indeed to tell you they don't support dex.

from gitops-operator.

From v1.3.0 version of OpenShift-GitOps we support Dex OpenShift Connector. Dex is installed by default and can be configured for "Login With OpenShift" by adding .spec.dex.openShiftOAuth: true to the Argo CD Spec.

Please feel free to reopen the issue, if you still see this after upgrading to v1.3.0.

from gitops-operator.